Defense contractors aren’t the only ones who need to implement NIST cybersecurity requirements for CUI. The big question has always been whether other agencies would require proof of implementation via the CMMC program. The GSA just revised their process for assessing nonfederal systems handling controlled unclassified information and it’s way closer to NIST’s Risk Management Framework than CMMC.
Transcript
CMMC for GSA Contractors
All right, folks. It is January of 2025, and we are here in the studio at Summit 7 headquarters, always a cool place to record, joined by Mr. Daniel Acreage himself. We’ve got some somewhat breaking news. We’ve talked before about whether other agencies would adopt CMMC and what that might look like in terms of verifying that contractors are implementing NIST requirements to protect controlled unclassified information. Well, here we are. The General Services Administration (GSA) has released CIO-IT Security-21-112 Revision 1, otherwise known as the IT Security Procedural Guide for Protecting Controlled Unclassified Information in Non-Federal Systems and Organizational Processes. It doesn’t exactly roll off the tongue like CMMC, but this is GSA’s method for verifying that its contractors and vendors have implemented the requirements in NIST SP 800-171 Revision 3 and NIST SP 800-172 Revision 3. That’s what we’re talking about today.
If you haven’t seen this, you’re probably not alone. There was no formal rulemaking, no press cycle, no interviews, no blog posts. It’s a 45-page document laying out in detail the phases, subphases, procedures, POA&Ms, external assessments, showstopper requirements, and more—and almost no one is talking about it. Even if you’re a defense contractor and not a GSA contractor, it’s worth reviewing because it includes examples of what GSA thinks a fully satisfied or partially satisfied SSP entry should look like. We rarely get that kind of example language from DoD or NIST. It’s also valuable because it shows how much more straightforward CMMC appears compared to this GSA process, which is closely aligned to the NIST Risk Management Framework. If you’ve ever read NIST SP 800-37, you’ll recognize the structure immediately. The five phases of CIO-IT Security-21-112R1 are Prepare, Document, Assess, Authorize, and Monitor, with significant detail and substeps under each.
One of the more interesting aspects is that GSA appears to have taken a hybrid approach—borrowing concepts from CMMC and from RMF, especially given that it is built around Revision 3 of 800-171. What’s surprising is that this surfaced almost by accident through a LinkedIn message, despite the fact that thousands of companies likely fall under GSA’s purview. There’s no visible ecosystem yet—no obvious assessors advertising services, no major announcements from FedRAMP 3PAOs. And that’s notable, because the document states that assessments must be conducted by either a FedRAMP-accredited 3PAO or an assessment organization approved by the GSA Office of the CISO prior to selection. There’s no published list of approved organizations, and FedRAMP 3PAOs are generally more expensive than CMMC C3PAOs, which raises questions about cost and scalability.
A major takeaway here is that CMMC is not the requirement itself; it’s DoD’s method of verifying compliance with NIST SP 800-171. GSA could have chosen to leverage CMMC but instead created its own verification program. The document requires extensive upfront deliverables—FIPS 199 categorization templates, FedRAMP versus 800-171 comparison templates, project work breakdown structures, coordination meetings, and more. It feels closer to the DIBCAC assessment model than to the CMMC ecosystem, where a C3PAO conducts the assessment and certification status flows into SPRS. Under this GSA model, everything—including the assessment output—goes back to GSA for a case-by-case authorization decision, consistent with RMF. The challenge, of course, is how that scales across tens of thousands of companies.
GSA also introduces “critical security capabilities,” essentially identifying the controls it views as most important. Instead of a weighted point system like CMMC’s five-, three-, and one-point controls, GSA explicitly lists the requirements it considers critical and describes what it expects to see. That clarity is helpful. However, unlike CMMC’s pass/fail with limited POA&M flexibility, the outcome here appears less predictable because the final authorization decision is discretionary.
There are also ongoing requirements beyond the triennial assessment. Annual deliverables must be submitted to the GSA ISO, ISM, or contracting officer representative, including an updated SSP, an updated impact assessment, and a penetration test every year, or whenever there is a “major change” to the system—though that term is not clearly defined. Even more notable is the incident reporting requirement: suspected incidents must be reported within one hour. Historically, similar language in proposed rules has been softened during public comment to require reporting of confirmed incidents, not merely suspected ones. Because this document did not go through formal rulemaking, that suspected-incident-within-one-hour requirement remains as written.
Appendix C includes “showstopper security requirements” for the non-federal security approval process. These function similarly to CMMC’s highest-weighted controls: if you fail to implement them, you likely won’t make it through the authorization step. Interestingly, the specific controls GSA highlights as showstoppers may not perfectly align with what DoD treats as highest priority, despite both agencies working together on the FAR CUI rule and applying the same NIST baseline to the same category of data.
All of this raises broader questions. Will there be reciprocity if DoD moves to 800-171 Revision 3 under a future CMMC 3.0? Will companies need to maintain separate compliance tracks—Rev 2 for DoD and Rev 3 for GSA? Will agencies continue developing their own flavors of verification? The original goal of the FAR CUI rule was harmonization and standardization. Yet here we have GSA evaluating systems on a case-by-case basis under an RMF-style authorization process, which historically has struggled with reciprocity between authorizing officials.
So if you’re a GSA contractor, have you heard about this? Is this being enforced in practice? Were you aware of the 2022 version before Revision 1? If you’re a defense contractor doing GSA work, is this on your radar? It’s surprising that GSA didn’t make more noise about it, especially given how publicly other agencies have debated CMMC approaches in the past. Let us know what you’re seeing in the field, and we’ll continue tracking how this develops. We’ll see you next week.